TABLE OF CONTENTS

Introduction

We know that information security and data protection are fundamental, extremely complex and dynamic issues for our customers. Therefore, chemmedia is committed to the highest standards of IT security, strict compliance with all legal requirements, regular review and adaptation of its software solutions, and actively informing its customers.

Below you will find an overview of our essential measures to ensure information security and compliance with data protection in our software. The aim is to guarantee the availability and resilience of the systems (e.g. protection against theft, destruction, downtimes, loss of data carriers), the integrity of the software and the data (e.g. protection against intentional or negligent falsification of programs, manipulation of files) as well as the confidentiality of your data (e.g. protection against unauthorised access to file contents).

Please understand that for security reasons we cannot release any further internal documentation.

Information Security

Infrastructure


Knowledgeworker is based on an IT infrastructure that is highly available, performant, secure, scalable, distributed and up-to-date. The servers for our software systems are located in the European Economic Area. For the provision of the technical infrastructure, we mainly use the following subcontractors:


Amazon Web Services (AWS)

Managedhosting.de GmbH

Domainfactory


The Software-as-a-Service applications offered by chemmedia are based on services that are operated in the aforementioned data centres. Depending on the data centre, services of the hosting provider or components operated by chemmedia are used as infrastructure components. This includes, for example, access management, auditing, firewall and network security, load balancing, scaling and redundancy of critical services.


There is a strict separation of test and production environments. We follow the Secure Design Principles, e.g. Minimise Attack Surface, Secure Defaults, Fail Securely, Least Privilege and Separation of Duties. Throughout software development, there are concrete guidelines for linking architectural components in order to reduce the possibility of attacks.

Web and Mobile Applications

Knowledgeworker is a software suite for e-learning and digital communication. The suite currently consists of the following modules:

Knowledgeworker Create is a web-based learning content management system for developing interactive, responsive learning content. The system supports the collaboration of several authors and the multiple use of content once it has been created. The content can be adapted to different target groups, languages or local characteristics with little effort to achieve the greatest possible flexibility.

Knowledgeworker Share
is a web-based learning and communication platform on which digital educational and information offers can be made available to different user groups in a target group-specific and fast way. The platform enables digital communication of the users (social media functionalities) as well as a comprehensive evaluation of the further education and communication measures.

Knowledgeworker Coach is a web-based interactive virtual behavioural trainer that prepares users for specific situations, such as communication with different target groups or dangerous situations. Knowledgeworker Coach is a web application with which situation trainings can be created, which can then be used independently or as part of e-learning.

Knowledgeworker Cards is a flashcard app for mobile devices (iOS, Android) that enables self-directed learning and helps users recap content.

For all these modules, a distinction is made below if the security-relevant aspects of the modules have been differentiated differently.

Cryptography

Only widely accepted methods that are recognised as secure are used for encryption.

The connections to the web server are made exclusively via HTTPS. TLS is activated for all connections and configured so that the strongest available encryption algorithm with Perfect Forward Secrecy (PFS) is used. Insecure procedures and algorithms are deactivated. An HTTP Strict Transport Security Header (HSTS) is sent. The server certificates used are always valid and issued by a trustworthy CA.

Datacenter Managedhosting.com

Access to all servers and services in the data centre is only available via a secure VPN tunnel from the company network and only by authorised personnel. Login to the servers is only possible with personalised SSH keys. Other access points or protocols are deactivated.

There is no hard disk encryption, as this is not suitable in a Tier III data centre to increase the access security to data. Encryption of the data carrier itself only protects against physical theft of the device if a key or smart card is required when the device is put back into operation or a password has to be entered to decrypt the data carrier. We can rule out the possibility of the storage backend or individual data carriers being stolen from our data centre. Only employees of our company have physical access to the IT infrastructure. This is ensured by appropriate processes and security mechanisms.

AWS data centre

Access to servers and services at AWS is exclusively via encrypted temporary connections by authorised personnel. There are no permanent connections to chemmedia (internal) networks or third-party providers or subcontractors.

For all data, data at rest encryption is used on the basis of the AWS Key Management Service.

Knowledgeworker Create, Coach and Share

In Knowledgeworker Create, Coach and Share user passwords are managed as cryptographically encrypted data. They are stored using a one-way encryption algorithm that is recognised as secure, a so-called Cryptographic Hash Function (CHF), i.e. not in plain text.

Knowledgeworker Cards

The Knowledgeworker Cards app is used anonymously and does not manage user accounts that need to be protected with cryptographic methods.

Authentication / Identity Management

Knowledgeworker Create

The following password features can be configured:

  • Minimum and maximum number of characters in total
  • Minimum number of digits, letters and special characters
  • Quantity of special characters allowed
  • Maximum number of failed login attempts before the user is automatically deactivated
  • Maximum validity period in days

Knowledgeworker Create supports two-factor authentication via the OTP app. This must be initially activated by the user. In addition, a start and an end date of the user account can be set (automatic activation/deactivation of the account). Logging in to the system is only possible within this period. If the user's password has expired, the user must change it the next time he logs in. He cannot work in the system without changing it.

If the user enters the password too often (default = 10 times) his account will be deactivated and can only be reactivated by the personal administrator. The administrator can reset the attempts, reactivate the user and force a password change if necessary. If the user forgets his password, he can reset his password himself via Password Recovery. After requesting a new password, the user will receive an email to their registered email address and can set a new password themselves.

Knowledgeworker Cards

In the standalone application Knowledgeworker Cards no user accounts are managed. The app is used anonymously.

Knowledgeworker Share

The password policy is configurable and can therefore be customised according to the guidelines of the respective client. The following features can be configured:

  • Minimum and maximum number of characters in total

  • Minimum number of digits, letters and special characters

  • Maximum number of failed login attempts

  • Maximum period of validity in days


If the password is forgotten, the users can reset the password themselves via password recovery. After requesting a new password, the users receive an e-mail to the e-mail address they have provided and can set a new password themselves.

Access Management in the Knowledgeworker Suite

Knowledgeworker Create

All access in Knowledgeworker Create is granted on a person-by-person basis. Knowledgeworker Create offers a flexible system based on domains and roles to specifically grant or restrict access. In the standard system, different roles with defined permissions are available (e.g. author, reviewer). The permissions of the roles can be customised.

Additional roles can be created individually.

The authorised user can check the existing users directly in Knowledgeworker Create and deactivate them if necessary. With the deactivation, the subsequent pseudonymisation can be triggered at the same time.

Courses created in Knowledgeworker Create can be exported by authorised users and are then no longer subject to access control by Knowledgeworker Create.

Knowledgeworker Create also offers the possibility to publish content via the chemmedia service "kw.my". In this case, the publishing author decides on password protection and availability period. There is no further personalised authentication or logging of access.

Knowledgeworker Share

Knowledgeworker Share offers user roles with defined rights (e.g. Global Administrator, Administrator of Users, Author, User, Report Manager). Individual users can also be assigned several roles.
Content is made available to specific users via categories and user groups. In this way, individual departments, regional units or specialist areas, for example, can be reached individually.
We will be happy to provide you with an overview of the roles and rights concept in Knowledgeworker Share.

The personal administrator has the right to view and edit all personal data in the system. In doing so, the person administrator can assign additional security roles to other users or revoke them and thus assign or revoke permissions.

Knowledgeworker Coach

Knowledgeworker Coach uses a role- and domain-based authorisation concept. Domains are used to define workspaces in which certain users have direct access. Roles are used to define the permissions in the domains.

Knowledgeworker Cards

Knowledgeworker Cards as an app with anonymous use without a user account has no authorisation system.

Access Management for Technical Administrators

Only authorised chemmedia personnel have access to the servers in the data centres. Each employee is granted access rights to services and servers according to the least privilege principle. Communication with the data centre is always encrypted or via VPN tunnel.

Datacenter Managedhosting.com

Network access control is achieved through network segmentation: the central firewall controls the access of technical administrators to certain network segments. The central and local firewalls restrict access based on various criteria. SSH access is only possible via public key procedures. Administrator accounts are strictly separated from standard accounts.

SSH access is managed via a configuration management system. Adjustments to the configuration of systems are made exclusively via the configuration management system. All changes are logged.

We use a central identity provider with almost company-wide SSO integration. If a user is deactivated, their access to all connected systems is automatically deactivated.

Datacenter AWS

Access to AWS services is exclusively via temporary (depending on the application between 1-4 hours) access data based on MFA secured federated identities.

All accesses, changes to and transactions with the infrastructure are logged in the AWS Cloudtrail.

Data Handling

In all applications, input validation is carried out for untrusted data (e.g. user input) in order to exclude resulting errors. This includes an automated validation of structured data inputs in XML and JSON formats as well as a check of technical limitations such as size or length. The validation of data is optionally carried out in clients, but it is always mandatory on the server side. In addition to validation, software facilities such as sanitisation or parameterised queries ensure that faulty data are not interpreted and executed (injection).
Sensitive data is transferred exclusively via HTTP body or header. User passwords, for example, are never sent as URL parameters.

To avoid access to sensitive data such as passwords or tokens, these are neither stored in clients (e.g. in local storage) nor kept in caches.
There is no data flow from production systems into the development environments.

Backup

Backups are copies of your data that we create automatically. They are used to restore your data in the rare event that, despite our numerous security precautions, data is lost due to technical faults or other incidents.

The data (database, application data) is backed up once a day. During this time, the usability of the system may be restricted for a short time. The backed-up data is stored for one week and then deleted. The data is stored redundantly on a second secure server. In the event of an error, it is possible to switch to a backup system. We cannot accept any liability for data that has not yet been backed up (max. 24 hours).

System Monitoring and Incident Management

All systems and services of the chemmedia infrastructure are continuously (24/7) monitored automatically, continuous basic checks of relevant services and parameters are carried out. In addition, individual checks are carried out depending on the Knowledgeworker module (application).
Check intervals, notification actions and frequency, etc. are configured according to the classification of the system or service (criticality). This means that a responsibility matrix with responsibility and escalation levels is implicitly stored in the monitoring.
If an incident is recorded by this system, identified by an employee in daily operations, or reported by a customer or third party, information is immediately sent to IT and, as far as possible at this point, to the responsible specialist department for categorisation and prioritisation.
If a security incident in the sense of an attack or intrusion is to be assumed, the system is isolated to prevent data manipulation and a copy is made. The incident is then processed and analysed in order to restore the normal operation of the compromised service/system as quickly as possible.
The process is comprehensively accompanied by an internal and external ticket system in order to transparently document the course of the incident and to enable a downstream problem analysis.

Audit Capability in the User Area

Knowledgeworker Create

Knowledgeworker Create has a detailed change history with a record of the actor, timestamp and indication of changes at object and property level. It allows fine-grained before-after audits for changes and other actions.
Successful and failed login attempts are also recorded.

Knowledgeworker Coach

Knowledgeworker Coach tracks changes based on simple creator and last editor details with timestamps.

Knowledgeworker Cards

No change tracking is available in Knowledgeworker Cards because the data cannot be edited. The personal learning history is recorded for a limited time and can optionally be extracted, permanently stored and evaluated.
The content for Knowledgeworker Cards is created and revised in Knowledgeworker Create. A detailed change history is available there.

Knowledgeworker Share 

The versioning of content ensures that it can be traced at any time which user has carried out which version of a content.

Patch Management & Updates

There is a regular check of the services and products used. These must be within the life and maintenance cycle. Updates and upgrades are carried out to close potential security gaps, correct errors and expand the applications.

Risk Analysis

In regular security jour fixes between the respective product owner, the involved software architects and important stakeholders, a continuous risk analysis and security-related improvement of the Knowledgeworker products takes place.

Software Development

There are binding development guidelines for all Knowledgeworker developers, which are based on the Java Secure Coding Guidelines, among others. These are already part of the onboarding process for new employees. To ensure the high quality of our software products, we rely on continuous integration with automated tests. Our software development is agile, with continuous software-supported planning, prioritisation, documentation and evaluation. All newly developed components go through a review and acceptance process before they are integrated into the live product. All components should use the same character encoding on client and server side, the correct content type is determined via the HTTP header.

Validation of Knowledgeworker

chemmedia AG has been supporting numerous customers from regulated industries (e.g. pharmaceuticals, finance) for more than 15 years and is familiar with the corresponding requirements. A validation of the software according to the client's specifications (URS) can be carried out. Please note that a re-validation should take place with every significant update of the software.


Graphical illustration of the validation process

Validation process based on the User Requirement Specification by the client


External Security Audit

We perform standardised, automated application scans for the Knowledgeworker Suite at regular intervals. All relevant results of the security tests are remedied immediately. Further tests can be commissioned or carried out by the customer.



Data Protection

Order Processing

When providing the Knowledgeworker modules as Software as a Service (Cloud), chemmedia AG acts as a commissioned processor in accordance with Art. 28 GDPR. Therefore, a contract on commissioned processing must be concluded between the client and chemmedia AG upon commissioning.

Personal Data in Knowledgeworker

The following personal data is collected in Knowledgeworker Suite:

  • First and last name or freely selectable user name for personalisation, interaction with other users, presentation to other users.
  • E-mail address for verification of the user and for resetting the password.
  • Profile picture for personalisation and presentation to other users. Entry is voluntary.
  • IP addresses are temporarily logged at two central locations to ensure security and prevent cybercrime:
    • 1) Load balancer: maximum retention time 52 days.
    • 2) Web server cluster : maximum retention time 14 days
    • 3) Knowledgeworker Audit Trail: no time limit.

In addition, the following data is recorded in Knowledgeworker Create and Knowledgeworker Coach:

  • Other details such as company, department, position or telephone contact details for personalisation and to ensure accessibility by other users. The entry of this data is voluntary.
  • Usage data to track edits and suggest relevant content.
  • Knowledgeworker Create stores login data (login event with date and IP) permanently.

In addition, the following data is collected in Knowledgeworker Share:

  • Usage data to improve the app, provision of learning information (e.g. viewing and completion of content) and community information (likes, comments), suggestions for relevant posts.
  • Knowledgeworker Share can be configured individually. Collection of further personal data is possible, depending on the operator's settings. The following data can be collected, among others: External ID (e.g. users' customer or personnel number), activation and deactivation date (e.g. hiring and leaving date), release period, title, address, gender, address, position, department, location.

Data Collection in Knowledgeworker

Personal data can be collected in the context of app use in the following ways in particular:

  • The user enters the data himself (e.g. username and email address).
  • The data is provided by the organisation and imported into the system automatically or manually.
  • The data is automatically collected by the systems of chemmedia AG or the service providers commissioned by it (e.g. analysis data).
  • The data is collected on the basis of the access rights required by the respective app and the settings of the respective user (e.g. location data).

Data Processing and Subcontractors in Knowledgeworker

An overview of all subcontractors for the provision of our Knowledgeworker services can be found here: https://www.knowledgeworker.com/legal/sub-processors.html
Data processing takes place, with the exceptions described below, in the member states of the European Union or in another contracting state of the Agreement on the European Economic Area.
Regarding AWS: We only use the AWS infrastructure units and only AWS services in the EU (AWS regions). Thus, according to the AWS overview, only subcontracted processors based in the EU are currently used. We cannot completely rule out the possibility that a third-country transfer may take place. However, since the data is encrypted both in Transit and at Rest, it would be protected even in the event of a transfer. AWS has no access due to its architecture (strict separation of infrastructure operation, server, hypervisor and [customer] data).
Contracts on commissioned processing have been concluded with all data-processing subcontractors. The data transfer to AWS is based on Art. 46 (2) d) GDPR. The Standard Contractual Clauses of the EU Commission of 04 June 2021 were agreed. Furthermore, additional technical and organisational measures have been taken to protect the personal data of our customers (see section "Technical and organisational measures").

Reporting and Evaluation 

Knowledgeworker Share is a lean learning management system (LMS) in which e-learning courses can be provided, assigned to users and subsequently the implementation of further education activities can be verified. Knowledgeworker Share provides various pre-configured evaluation options for this purpose. A configuration as well as a partial anonymisation of the reports is possible.
E-learning courses created with Knowledgeworker Create, Coach and/or Cards can be imported into most common learning management systems (LMS). Communication between the course and the LMS is done using the e-learning standard SCORM.
In addition to the user-specific evaluation, a completely anonymised and cumulative evaluation of the e-learning activities is also possible. This means that no training record of individual participants is possible, but rather the acceptance and use of the various courses can be evaluated.

Anonymisation, Pseudonymisation and Deletion

Deactivation, anonymisation, pseudonymisation or deletion of a user in a Knowledgeworker application is based on the deletion concept. Accordingly, deletion is only possible on the written instruction of an authorised employee of the customer. After termination of the licences by the customer, the deletion of the client as well as the associated users and contents takes place according to the contractually agreed deadlines.
A deletion of the data in the backups of the applications does not take place by default.

Knowledgeworker Create

At the request of the client, the pseudonymisation process can be set up. As soon as a user has been deactivated, the pseudonymisation process starts. There is a default target date. The authorised person can also determine the target date himself and thus overwrite the default target date. Pseudonymisation is carried out for all fields that contain personal data. These data are hashed. The user's profile picture is deleted. If a default avatar is used, it will no longer be used.
If pseudonymisation is imminent, the licence management and the form for editing the user are displayed to the administrator directly after login.
If a user is reactivated, the planned pseudonymisation is deleted.
Knowledgeworker Create is no longer able to identify the user after pseudonymisation. Should it be necessary to identify the user again at a later date, the person ID displayed on the user's name must be stored in a secure, authorised location.

Knowledgeworker Coach

For the Knowledgeworker Suite module Coach, we ensure the pseudonymisation or anonymisation of personal data in selectable time periods in a semi-automated process.

Knowledgeworker Share

Anonymisation of user data is possible. Based on the user's exit date, which is maintained by the personal administrator, the personal data is automatically anonymised after a selectable period of time (1, 2, n years).

Privacy Statements in Knowledgeworker

For each Knowledgeworker module there is a standard privacy statement available for all users on the home page and in the respective system (public cloud).

Knowledgeworker Create & Coach

Knowledgeworker Share

  1. https://www.knowledgeworker.com/legal/share-privacy-de.html
  2. https://www.knowledgeworker.com/legal/share-privacy-en.html

Knowledgeworker Cards

Knowledgeworker Share is a system provided and configured especially for the client. It is pointed out that the client is responsible for the provision, correctness and completeness of the data protection declaration and the imprint. chemmedia AG will be happy to provide the necessary technical information on the systems.

Technical and Organisational Measures

We have taken technical and organisational measures to ensure the protection of personal data with regard to their need for protection and taking into account economic reasonableness. The technical and organisational measures can be requested by e-mail to [email protected].
To ensure and support our organisational measures for information security and data protection, chemmedia has an IT security guideline that is binding for all employees and a data protection instruction, including regular training courses on data protection and data security.
With regard to the transfer of data to AWS, we have carried out a transfer impact assessment and taken additional security measures:

  • Server location Europe, currently Frankfurt and Paris (data residency).
  • Encryption of the transmitted personal and security-relevant data in transfer and at rest to prevent unauthorised access: "AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service". (https://aws.amazon.com/kms/features/)

Emergency Plan

In the event of emergencies affecting the functioning of our IT systems, a Business Continuity Plan (BCP) is applied. The BCP defines an emergency definition, a list of responsible persons, a list of relevant systems and service providers, required notifications and appropriate emergency measures.